August 20, 2004
Report No. 04-030

Retention Strategies for Failed Insured Depository Institution Employees

AUDIT REPORT

TABLE OF CONTENTS

BACKGROUND

RESULTS OF AUDIT

FINDING A: RETENTION DECISIONS
     Documentation of Retention Strategy Decisions
     Retention Decisions for Each Institution Failure
     Conclusion and Recommendation

FINDING B: PERSONNEL SECURITY
     Policy and Procedures for Contractor Security
     Standards for Safeguarding Consumer Information
     Background Investigations for Retained Institution Employees
     Conclusion and Recommendations

CORPORATION COMMENTS AND OIG EVALUATION

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX II: CORPORATION COMMENTS

APPENDIX III: MANAGEMENT RESPONSES TO RECOMMENDATIONS

TABLE

DRR’s Documentation of Retention Strategy Decisions

As required by the FDIC Improvement Act of 1991,[4] each resolution of a failed insured financial institution[5] is to be the least costly possible under the circumstances. Within the FDIC, DRR is primarily responsible for ensuring that the requirements of the Act are fulfilled. Specifically, as stated in DRR’s 2003 Strategic Plan “DRR exists to plan and efficiently handle the resolutions of failing FDIC-insured institutions and to provide prompt, responsive, and efficient administration of failing and failed financial institutions in order to maintain confidence and stability in our financial system.” To fulfill its mission, DRR monitors troubled banks and plans for resolution activities. DRR has developed policies, procedures, and other guidance to cover most aspects of these operations, including the: Resolutions Handbook, Failed Financial Institutions Closing Manual (Closing Manual), and Resolutions Policy Manual.

Even before a failing financial institution is closed, DRR performs considerable work during the pre-closing period. DRR’s pre-closing efforts include valuing an institution's assets to determine resolution options, estimating the liquidation value of the assets, and calculating the cost of a deposit payoff and/or loss to the insurance fund. One important DRR decision during the pre-closing period is whether to retain former institution employees to assist DRR in the operations of the receivership. DRR assesses whether retaining and paying former institution employees is the most cost-effective way to maintain asset values and ensure a smooth resolution. To retain such employees, DRR generally engages the former employees through third-party contractors or compensates the assuming bank for associated personnel costs and continues the former employees’ pay.
DRR may also offer various bonuses and benefits as incentives for the employees to continue working as long as their services are needed.

The primary responsibility for managing the operations of an FDIC receivership is shared by two DRR officials:

    •    The Receiver-in-Charge (RIC) is the coordinator for DRR operational activities in preparing an institution for receivership and has delegated authority to act on behalf of the receivership.

    •    The Closing Manager (CM) is responsible for supervising all aspects of the institution’s closing and reports to the RIC.

During the audit period, DRR had no formal written policies or procedures in place related to retaining former institution employees. However, in a revision to DRR’s Closing Manual, dated December 2003, procedures were added to address the use of such employees. Specifically, the manual states that in anticipation of prolonged receivership activities in the field, the RIC coordinates efforts with DRR’s Asset Management Unit in establishing a field site, including consideration of the use of failed bank employees employed through the use of a payroll services or asset management contractor. The Closing Manual further states “[t]he RIC and post closing Asset Management Team leader seek recommendations from the payroll services or asset management contractors for post closing retention incentives, giving consideration to: a) cost of the incentive vs. the disruptive cost to the receivership should the employees leave, b) industry standards, and c) alternative retention strategies.”

[4] P.L. No. 102-242, codified throughout title 12, U.S.C.
[5] The resolution process involves valuing a failing federally insured depository institution, marketing it, soliciting and accepting bids for the sale of the institution, determining which bid is least costly to the insurance fund, and working with the acquiring institution(s) through the closing process (or ensuring the payment of insured deposits in the event there is no acquirer).

During the period covered by our audit, January 1, 2002 through October 31, 2003, 13 insured depository institutions failed with assets totaling about $3.6 billion. Of the 13 failed institutions, each of the following 4 institutions had more than $100 million in assets at the time of closing:

     •   Hamilton Bank, NA (Hamilton) of Miami, Florida ($1.2 billion);
     •   NextBank, NA (NextBank) of Phoenix, Arizona ($669 million);
     •   Connecticut Bank of Commerce (CBC) of Stamford, Connecticut ($379 million); and
     •   Southern Pacific Bank (Southern Pacific) of Torrance, California ($1.1 billion).

We selected these four institutions for review because of their size and because DRR, through third-party contractors, offered retention packages to selected former employees.[6]

RESULTS OF AUDIT

For the four institutions we reviewed, DRR’s decisions to retain and pay failed institution employees to assist in the orderly transition of receiverships appeared reasonable. However, DRR could have better documented the basis for the retention decisions.
In addition, DRR could have implemented better personnel security practices when hiring the former institution employees through third-party contractors.

    •    DRR’s decisions to retain and pay former institution employees to assist in the operations of its receiverships appeared justified given the specific circumstances of the closed institutions. Also, retention decisions were adequately communicated to, and approved by, appropriate FDIC management officials. However, to ensure that future retention decisions are adequately supported and defensible, the DRR should more fully document its considerations of (1) the cost of incentives as compared to the disruptive cost to the receivership should the former institution employees leave, (2) industry retention standards, and (3) alternative retention strategies (see Finding A: Retention Decisions).

    •    DRR did not always require that former institution employees be subject to some form of background check before allowing their continued access to sensitive financial and customer information. Although no specific misuse was identified, the potential for misuse of sensitive institution and customer information by former institution employees in the operations of the receivership could place the FDIC at significant financial and reputational risk for not adequately protecting sensitive information (see Finding B: Personnel Security).

We are recommending that DRR improve policy and procedures related to assessing and documenting retention decisions and decisions related to contractor personnel security.

[6] All of the employees retained from the four institutions were hired through third-party contractors.
However, DRR approved those retention decisions and, for the purposes of this report, we consider the retention decisions to be those of DRR.

FINDINGS AND RECOMMENDATIONS

FINDING A: RETENTION DECISIONS

DRR’s decisions to retain former institution employees from the four failed institutions we reviewed appeared reasonable given the circumstances surrounding each failure. Moreover, DRR’s retention decisions were sufficiently communicated to, and approved by, the appropriate levels of FDIC management. In addition, DRR adequately documented, in qualitative terms, its comparison of the cost of the retention incentives to the cost to the receiverships should selected former institution employees leave. However, DRR did not always adequately document its consideration of industry standards and alternative retention strategies.

Documentation of Retention Strategy Decisions

DRR’s December 2003 revision to its Closing Manual did not specify how DRR personnel were to document the retention considerations; therefore, for the purpose of this report, we established the following criteria for assessing the adequacy of such documentation.

    •   Consideration of Incentive Cost Compared to Disruptive Cost—An analysis comparing the estimated quantitative and/or qualitative cost of retaining the former employees as compared to the estimated disruptive cost should the former employees not be retained.
        The analysis should contain sufficient detail so that any reasonable party could reach the same decision.

    •   Consideration of Industry Retention Standards—A detailed discussion of the financial institution or company benchmarks used for determining whether DRR’s retention package was reasonable.

    •   Consideration of Alternative Retention Strategies—A detailed discussion, preferably supplemented with analytical information, indicating the alternative strategies considered for a particular resolution. The discussion should indicate the reasons alternative strategies were deemed unacceptable under the circumstances.

The table below summarizes our assessment of how adequately DRR documented its consideration of the elements described above for the four institutions we reviewed.

Table: DRR’s Documentation of Retention Strategy Decisions

                    Consideration of the Cost of
                    the Incentive vs. Disruptive
                    Cost to the Receivership       Consideration of        Consideration of Alternative
Institution         Should the Employees Leave     Industry Standards      Retention Strategies
Hamilton            Adequately Documented          Partially Documented    Partially Documented
NextBank            Adequately Documented          Partially Documented    Partially Documented
CBC                 Adequately Documented          Partially Documented    Adequately Documented
Southern Pacific    Adequately Documented          Partially Documented    Partially Documented

Source: OIG analysis of documentation provided by DRR for each institution closing.

Retention Decisions for Each Institution Failure

Based on the specific circumstances of each institution failure, DRR’s retention decisions appeared to be justified. For the four institutions, DRR adequately supported that the FDIC would be best served by retaining former institution employees, through third-party contractors, to assist DRR with the orderly transition of the receivership. In addition, for each of the four retention decisions we reviewed, DRR prepared a Strategic Resolution Plan (SRP)[7] to document its retention decisions and needs and a case[8] to request the necessary expenditure authority. In addition to oral statements made by DRR officials to the audit team during the audit, these two documents further supported DRR’s need to retain former institution employees and evidenced that the retention decisions were sufficiently communicated to senior management.

Details on the retention decisions for the four institutions follow.

•   Hamilton

    Value of Retention Package: $2,988,089
    Maximum Terms of Retention Package:
        •   Retention bonus 20 percent if employee stays until 6/30/02 (approximately 6 months after the closing date)
        •   Health benefits
        •   Additional bonus ranging from 5 percent to 60 percent for mission-critical employees
    No. of Retained Employees: 139
    Maximum Length of Retention: 6 months

DRR’s decision to retain former institution employees from Hamilton, which closed January 11, 2002, appeared reasonable and adequately supported based on the circumstances surrounding the resolution. During pre-closing, DRR’s closing team concluded that the services of an outside asset manager would be needed to handle Hamilton’s portfolio of international loans because DRR staff did not have the necessary expertise. About 140 Hamilton employees were retained through the asset management contractor for periods of up to 6 months at a total cost of about $3 million. This retention decision was communicated to appropriate FDIC management. Specifically, the asset management contractors that DRR used to retain and pay selected former Hamilton employees occurred under two contracts,[9] and DRR documented its retention decision in the Hamilton pre-closing SRP, dated December 6, 2001. The SRP stated that an international credit advisory services contractor would be engaged to manage the day-to-day trade financing operation, using Hamilton personnel to the extent possible.
In addition, the Hamilton failing bank case, sent to the FDIC Board of Directors on January 4, 2002, explained that a contractor was on board to provide oversight and management of the international assets in order to preserve the value of the assets and that most of Hamilton’s existing loan department personnel would be retained by the contractor. The case also indicated that expenditure authority for the contract activities was provided under the Consolidated Contracting Expenditure Authority Case approved in July 1999.[10] Finally, a DRR January 24, 2002 memorandum to the DRR Receivership Oversight Committee stated that Hamilton employees would be performing specialized functions such as accounting, management information systems work, or asset marketing assistance.

[7] The SRP is intended to promote the development of a singular inter-divisional coordination plan and provide the Resolutions Coordinator (RC) and RIC with a resolution planning and management tool. Among other uses, the SRP serves to assist in early identification of potential issues/problems and provide senior management with an early warning of potential resolution issues. Usually within 90 days after institutional failure, the SRP is replaced by the Receivership Business Plan (RBP), which serves the same purpose as the SRP.
[8] For the purpose of this report, a case may take the form of a memorandum to the FDIC Board of Directors, DRR Receivership Oversight Committee, or the RIC, requesting certain expenditures of funds during the resolution process.
[9] Approximately 80 employees were hired under the Allan C. Ewing contract, and 60 employees were hired under the On Call Staffing contract.

Cost of the Incentive vs. Disruptive Cost to the Receivership

DRR adequately documented, in qualitative terms, its comparison of the cost of the retention incentive to the cost to the receivership should the employees leave. Specifically, as stated earlier, the Hamilton SRP and failing bank case clearly described DRR’s rationale for using Hamilton employees, through asset management contractors, to perform certain receivership functions.

Consideration of Industry Standards

DRR partially documented its consideration of industry standards in the Hamilton retention decision. Specifically, one of the Hamilton cases authorizing the use of an outside contractor indicated that the two Hamilton retention packages provided comparable benefits to employees under both the asset management services contract and the temporary services contract. However, there was no evidence in any of the documents we reviewed that either DRR or its outside contractors considered industry standards in developing the retention packages.

Alternative Retention Strategies

DRR partially documented its consideration of alternative retention strategies. Specifically, the January 24, 2002 memorandum to the Receivership Oversight Committee identified two alternative strategies. The first alternative strategy was to employ all former institution employees under the Allen C. Ewing asset services contract, and the second strategy was to employ institution employees under a separate FDIC temporary services contract. However, DRR’s documentation of alternative retention strategies would have been more complete had the memorandum clearly indicated why alternative strategies were deemed unacceptable.

•   NextBank

    Value of Retention Package: $37,087,000
    Maximum Terms of Retention Package:
        •   Terms and conditions identical to current employment (salaries and benefits)
        •   Retention bonuses up to 4 months’ salary
    No. of Retained Employees: 454
    Maximum Length of Retention: 6 months (with one 3-month extension)

[10] The case was approved by the FDIC Board of Directors and was developed to obtain expenditure authority for the consolidated contracting plan for resolutions and receiverships.

DRR’s decision to retain selected employees, through the use of a contractor, following the failure of NextBank, closed on February 7, 2002, appeared reasonable and adequately supported based on the circumstances of the resolution. Specifically, DRR decided to negotiate with NextCard, Inc. (NextCard) — NextBank's holding company[11] — to retain NextCard’s servicing employees because of the complex and specialized nature of the servicing operation and to attempt to avoid the early amortization of a related securitization.[12] This was necessary because NextBank had virtually no employees of its own, and DRR believed that the loss of the NextCard servicing employees would have had an adverse effect on the value of NextBank’s assets.

NextBank, one of the first Internet banks, focused on the subprime loan market and sold a number of products and credit card plans with unique features. According to a DRR official, credit cards represent a unique type of asset, and the FDIC needed to retain the expertise of the holding company’s employees to help manage the credit card operations.
Additionally, DRR concluded that experienced servicing staff were needed to run the specialized software used to maintain the credit card accounts. According to DRR officials, at the time of the closing, Phoenix, Arizona, was a hot market for the services required by the receivership, and the closing team was concerned that it would lose a number of needed servicing employees if a retention package was not offered. In total, about 450 NextCard employees were retained through a contractor for about 6 months at an estimated cost of $37 million.

DRR’s NextBank retention decision was adequately communicated to appropriate FDIC management. Specifically, the NextBank SRP, dated February 26, 2002, clearly showed plans to retain NextCard servicing employees under a temporary employment contract. Similarly, in a memorandum to the FDIC Board of Directors, dated February 28, 2002, the Director, DRR, communicated the intent to retain NextCard servicing employees to assist with the operations of the receivership.

Cost of the Incentive vs. Disruptive Cost to the Receivership

DRR adequately documented, in qualitative terms, its comparison of the cost of the retention incentive to the cost to the receivership should the employees leave. Specifically, the NextBank SRP, dated February 26, 2002, stated that the least disruptive, most logical, and most cost-effective method for completing the sale and transfer of assets would be to retain NextCard servicing employees under a temporary employment contract. The Director, DRR, included similar language in the case memorandum, dated February 28, 2002, to the FDIC Board of Directors. The case also summarized the proposed retention expenses and provided estimated costs under the agreement and the cost for the existing servicing employees.

Consideration of Industry Retention Standards

DRR partially documented its consideration of industry retention standards.
According to a DRR official, based on instructions in its basic ordering agreement (BOA), a temporary employment contractor initially developed a retention package. Once the contractor developed the package, DRR’s closing team shared the retention package with another contractor, First Annapolis Consulting,[13] for its assessment of the reasonableness of the package. However, there was no indication of other company or industry retention packages that were used as benchmarks for comparison purposes.

[11] The Bank Holding Company Act of 1956 defines a bank holding company as any company that has control over any bank or over any company that is or becomes a bank holding company by virtue of the Act.
[12] Securitization is the process by which loans are packaged into pools that are then used as collateral to back securities sold to investors in the capital markets.

Alternative Retention Strategies

DRR partially documented its consideration of alternative retention strategies. As previously discussed, before NextBank was closed, DRR’s closing team made the decision to negotiate with NextCard to retain its servicing employees through a contractor because of the complexity of the credit card operation. Although the decision to retain servicing employees through a payroll contractor was well documented in the SRP and DRR Director’s memorandum to the FDIC Board, DRR did not clearly document why alternative strategies were deemed unacceptable.

•   Connecticut Bank of Commerce

    Value of Retention Package: $1,755,431
    Maximum Terms of Retention Package:
        •   Health insurance
        •   Overtime pay at 1.5 times the straight time rate
        •   Bonus of 20 percent of base annual salary
    No. of Retained Employees: 34
    Maximum Length of Retention: 5 months

DRR’s decision to retain former institution employees from CBC, which closed June 26, 2002, appeared reasonable and adequately supported based on the circumstances surrounding the resolution. According to DRR officials, CBC’s loan portfolios included a complex mix of manufacturing loans, and CBC’s employees had the expertise and institutional knowledge that the FDIC staff did not possess. Approximately 34 former CBC employees were retained through a contractor for about 5 months, until the sale and transfer of assets was completed, at an estimated cost of $1.8 million.

DRR adequately communicated its decision to retain former CBC employees through an asset management contractor. Specifically, in the SRP for CBC, dated July 5, 2002, DRR clearly stated its intent to retain selected CBC employees. The SRP for CBC stated that to maintain the continuity and value within the different portfolio lines and to be as non-disruptive as possible, the FDIC staff would work with former CBC employees. The SRP also concluded that hiring former CBC employees was the least disruptive and most logical and cost-effective way to maintain the value of the loan portfolio.
Also, a July 9, 2002 case memorandum approved by the RIC stated that due to the specialized nature of the receivership’s asset base, it was essential that the FDIC retain selected bank employees during the closing and marketing process.

[13] First Annapolis Consulting was engaged to advise the FDIC on a variety of issues related to credit cards. Among other things, the contractor was to assist the FDIC in establishing market prices for various servicing and processing functions and to advise the FDIC in the areas of fraud, technology, and issues involving the servicing and processing of credit cards.

Cost of the Incentive vs. Disruptive Cost to the Receivership

DRR adequately documented its comparison of the cost of the retention incentive to the cost to the receivership should the former CBC employees leave. The CBC SRP and case memorandum indicated that in maintaining the value of the CBC portfolio during the receivership, DRR considered it cost-beneficial to use CBC employees already living in the New York City and southwestern Connecticut areas as compared to temporarily housing FDIC staff in this high-cost area.

Consideration of Industry Retention Standards

DRR partially documented its consideration of industry retention standards in the retention decision for CBC. Although DRR officials stated that the retention packages for the retained CBC employees were based on the employees’ previous earnings (with some reduction in benefits), there was no indication of other company or industry retention packages that were used as benchmarks for comparison purposes.

Alternative Retention Strategies

DRR adequately documented its consideration of alternative retention strategies.
Specifically, in addition to recommending that selected former CBC employees be used during the closing and marketing process, the July 9, 2002 case memorandum included the following alternatives: (1) using FDIC personnel to perform all the receivership functions or (2) contracting with the assuming bank for interim portfolio servicing. The case also contained a section entitled Substantiation, which briefly described the advantages of retaining former CBC employees.

•   Southern Pacific

    Value of Retention Package: $625,000
    Maximum Terms of Retention Package:
        •   Bonus of 5 percent of annual compensation plus 40 hours at employee's hourly rate for each month the employee remains beyond 4/1/03 (approximately 2 months after the closing date)
        •   Maximum bonus of 160 hours plus 5 percent of annual compensation
    No. of Retained Employees: 126
    Maximum Length of Retention: 6 months

DRR’s decision to retain former institution employees, through an asset management contractor, from Southern Pacific Bank, which closed February 7, 2003, appeared reasonable and adequately supported based on the circumstances surrounding the resolution. Specifically, Southern Pacific’s unique lending activities included asset-based lending; loans to the airline, technology, and communications industries; and operation of a division that provided financing for independent motion picture productions — areas in which DRR claimed to have had little expertise in marketing and liquidating. Accordingly, DRR’s Asset Management Unit considered it better for the FDIC to retain the service of an outside asset management contractor.
The retention decision was further supported by language in a February 24, 2003 memorandum from the asset management contractor to the Oversight Manager. The memorandum requested that incentive compensation be authorized to retain selected former Southern Pacific employees, stating that the receivership was thinly staffed and that the remaining Southern Pacific personnel were deemed critical to the successful liquidation of receivership assets and the winding up of bank affairs. Ultimately, 126 Southern Pacific Bank employees were retained through an asset management contractor for about 6 months at an estimated cost of $625,000.

DRR adequately communicated its decision to retain former Southern Pacific employees. Specifically, an expenditure case, dated November 20, 2002, submitted to the Director of DRR, requested authorization to hire an asset management contractor to assist in the liquidation, administration, and servicing of the Southern Pacific Bank loan portfolio. The case also stated that the contractor would use its best efforts to ensure that the FDIC realized maximum return and required the contractor to assess bank personnel to determine retention post-closing to continue the asset management and servicing functions. The SRP, dated January 17, 2003, also discussed the use of an asset management contractor and Southern Pacific employees.

Cost of the Incentive vs. Disruptive Cost to the Receivership

DRR adequately documented, in qualitative terms, its comparison of the cost of the incentive package to the cost to the receivership should the former Southern Pacific employees leave. Specifically, the SRP indicated that an asset management contractor would be needed due to the complexity, size, and volume of Southern Pacific’s commercial loan assets.

Consideration of Industry Retention Standards

DRR partially documented its consideration of industry retention standards in its retention decision for Southern Pacific. Although the contractor-developed retention package (provided to the FDIC for its approval) compared the proposed Southern Pacific retention costs to those of Hamilton Bank, DRR’s retention decision would have been more fully documented had DRR provided documentation showing the contractor used other company or industry retention packages as benchmarks for comparison purposes.

Alternative Retention Strategies

DRR partially documented its consideration of alternative retention strategies. As previously stated, the Southern Pacific SRP and case memorandum adequately documented DRR’s decision to use an outside asset management contractor to hire former Southern Pacific employees to perform the liquidation services. However, DRR’s documentation of alternative retention strategies would have been more complete had the SRP or case memorandum clearly addressed the comparative advantages of alternative strategies.

Conclusion and Recommendation

Overall, DRR’s decisions to retain former institution employees from the four failed institutions we reviewed appeared reasonable, given the circumstances of each failure.
Moreover, DRR’s retention decisions were sufficiently communicated to the appropriate FDIC
management level. Nonetheless, DRR should clearly document future retention decisions to
ensure they are fully supportable and defensible.

We recommend that the Director, DRR:

(1) Establish guidance in the Failed Financial Institution Closing Manual that clarifies the
    nature and extent of analysis that should be conducted and documented by the RIC and post-
    closing Asset Management Team Leader for use in assessing the consideration given to
    (a) the costs to the receivership of retention incentives in comparison to the costs should
    former institution employees leave, (b) industry retention standards, and (c) alternative
    retention strategies.

FINDING B: PERSONNEL SECURITY

DRR can better protect against the misuse of sensitive financial and customer information by
former institution employees retained to assist in liquidating receiverships. Specifically, DRR
did not always require some level of background investigation for former institution employees
prior to, or soon after, gaining access to sensitive information. The appropriate level of
background investigation is dependent on the circumstances surrounding a particular closing,
including the duration of the receivership, personnel security controls in place at the former
institution, and the nature of the information available.
Consideration of the need for some level of background investigation is important because
former institution employees were expected to remain at the four institutions for up to
9 months, thereby placing sensitive institution and customer information at risk of potential
compromise.

Policy and Procedures for Contractor Security

FDIC policy and procedures regarding contractor security are contained in FDIC Directive
1610.2, Security Policy and Procedures for FDIC Contractors and Subcontractors, dated
August 1, 2003. Directive 1610.2 describes a background investigation as a check or checks that
DOA completes for contractors and its personnel to ensure they meet minimum security and
fitness standards as set forth by the FDIC. As stated in the directive, the checks include:

     •   fingerprint criminal records checks by the Federal Bureau of Investigation (FBI);

     •   checks of various on-line data bases, such as Lexis/Nexis, Dun and Bradstreet, and the
         General Services Administration Debarred and Suspended Bidders List; and

     •   various background investigations conducted by the U.S. Office of Personnel
         Management (OPM).

However, the directive also exempts contractor employees at receiverships from the background
requirements. Specifically, the directive states: “. . . no background investigation or fingerprint
checks shall be required when a receivership is created, except when a receivership is of a
long-term nature. . . .”

Standards for Safeguarding Consumer Information

In Financial Institution Letter (FIL), FIL-22-2001, Security Standards for Customer Information,
dated March 14, 2001, the FDIC, Board of Governors of the Federal Reserve System, Office of
the Comptroller of the Currency, and Office of Thrift Supervision jointly approved and issued
standards for safeguarding customer information as required by the Gramm-Leach-Bliley Act
(GLBA).14 The FIL describes the agencies' expectations for creating, implementing, and
maintaining an information security program, to include administrative, technical, and physical
safeguards appropriate to the size and complexity of the institution and the nature and scope of
its activities. The objectives of the standards are to:

     •   ensure the security and confidentiality of customer information,

     •   protect against any anticipated threats or hazards to the security or integrity of such
         information, and

     •   protect against unauthorized access to or use of customer information that could result in
         substantial harm or inconvenience to any customer.

14 GLBA (Pub. L. No. 106-102) substantially repealed the provisions of the Glass-Steagall Act and amended the
Bank Holding Company Act to eliminate barriers preventing the affiliations of banks with securities firms and
insurance companies.

The FIL also describes the oversight role of the institution's board of directors in this process and
its continuing duty to evaluate and oversee the program's overall status.
Institutions are required to:

     •   identify and assess the risks that may threaten customer information;

     •   develop a written plan containing policies and procedures to manage and control the
         risks;

     •   implement and test the plan; and

     •   adjust the plan on a continuing basis to account for changes in technology, sensitivity of
         customer information, and internal or external threats to information security.

Additionally, the FIL describes the elements of a comprehensive risk-management plan designed
to control identified risks and achieve the overall objective of ensuring the security and
confidentiality of customer information. These elements identify the factors that an institution
should consider in evaluating the adequacy of its policies and procedures to effectively manage
risks commensurate with the sensitivity of customer information and the complexity and scope
of the institution and its activities. The FDIC, acting in its receivership capacity, could
reasonably be expected to comply with these guidelines. More specifically, the RIC and
Contracting Officer should take steps consistent with those described for a board of directors to
ensure security, confidentiality, and integrity of sensitive information, including that of
customers.

Background Investigations for Retained Institution Employees

DRR retained about 750 employees from the four failed institutions we reviewed to assist in
resolution activities utilizing the services of various contractors. These former institution
employees, working for contractors, assisted DRR in managing receivership assets valued at over
$3.3 billion. In managing the receivership assets, the former employees had access to sensitive
financial information, including loan files and bid packages.
In addition, the former institution employees had access to sensitive customer information,
including account balances, social security numbers, addresses, and telephone numbers.
Nevertheless, background investigations and fingerprinting were only completed for former
Hamilton employees.15

15 According to an FDIC contracting official, the decision to submit Hamilton employees to background and
fingerprint checks was a mistake, and the FDIC would not make such a decision again.

We recognize that the expense of obtaining FBI fingerprint checks or OPM background
investigations for failed institution employees may not be warranted when a receivership is
expected to last only a few weeks. However, such efforts are warranted when the use of former
institution employees is expected to last several months. Although the DRR closing team may
have closely monitored the employees from the four institutions we reviewed, the employees
were expected to remain at the institutions up to 9 months. Therefore, an adequate consideration
of the need for a particular level of background investigation is important because former
institution employees clearly had an opportunity to compromise sensitive institution and
customer information. In assessing the need for additional personnel security requirements,
consideration of the institution’s personnel security program in place at the time it was closed
may impact decisions for additional personnel security requirements.

Conclusion and Recommendations

Although we found no evidence that any of the failed institution employees misused the sensitive
information to which they had access, the potential for misuse placed the FDIC and former
institution customers at risk of compromise.
For example, with respect to the FDIC, loan file information could be inappropriately shared
with potential bidders which could negatively impact the results of institution loan sales.
Additionally, former institution customers could be at risk of identity theft,16 which can cause
significant financial harm to the customer. Therefore, DRR needs to assess the risk associated
with former institution employees gaining access to sensitive information before such access is
granted.

We recommend that the Director, DRR, in conjunction with the Director, DOA:

(2) Revise Directive 1610.2 to include guidance for determining when a receivership is of a
    long-term nature and warrants consideration of background investigations for retained failed
    institution employees.

We recommend that the Director, DRR:

(3) Revise the Closing Manual to require that the RIC and the post-closing Asset Management
    Team Leader assess the risk of compromise of sensitive institution and customer information
    for each failed insured depository institution that will require a long-term receivership and
    for which former institution employees will be retained. Based on the assessment, a decision
    should be made regarding whether any or all of the following should be completed for the
    retained institution employees: background investigations, fingerprint checks, credit checks,
    or signed statements of nondisclosure.

(4) Revise the Closing Manual to require that the RIC and the post-closing Asset Management
    Team Leader document the results of the risk assessment described in recommendation 3 in
    the receivership’s Strategic Resolution Plan and/or subsequent post-closing receivership
    reports.

16 Identity theft occurs when someone uses personal information without permission to commit fraud or other
crimes.
Victims may also lose job opportunities; be refused loans, education, housing, or cars; or may get arrested
for crimes they did not commit.

CORPORATION COMMENTS AND OIG EVALUATION

On August 11, 2004, the DRR Director provided a written response to a draft of this report. The
response is presented in Appendix II to this report. The Director concurred with all four
recommendations. A summary of the Director’s response to each of the four recommendations
and our analysis follows. See Appendix III for additional details on the status of the
recommendations.

(1) Establish guidance in the Failed Financial Institution Closing Manual that clarifies the
    nature and extent of analysis that should be conducted and documented by the RIC
    and post-closing Asset Management Team Leader for use in assessing the
    consideration given to (a) the costs to the receivership of retention incentives in
    comparison to the costs should former institution employees leave, (b) industry
    retention standards, and (c) alternative retention strategies.

DRR management agreed with this recommendation. The response indicated that DRR will
review current guidelines and, where necessary, clarify or compose additional guidelines for
inclusion in the Failed Financial Institution Closing Manual by October 31, 2004.

Management’s planned actions are responsive to the recommendation. The recommendation is
resolved but will remain undispositioned and open until we have determined that agreed-to
corrective actions have been completed and are effective.

(2) Revise Directive 1610.2 to include guidance for determining when a receivership is of a
    long-term nature and warrants consideration of background investigations for
    retained failed institution employees.

DRR management agreed with this recommendation.
DRR, in conjunction with DOA, will establish guidelines by December 31, 2004 that define a
long-term receivership and address receiverships that are considered long-term in nature.

Management’s planned actions are responsive to the recommendation. The recommendation is
resolved but will remain undispositioned and open until we have determined that agreed-to
corrective actions have been completed and are effective.

(3) Revise the Closing Manual to require that the RIC and the post-closing Asset
    Management Team Leader assess the risk of compromise of sensitive institution and
    customer information for each failed insured depository institution that will require a
    long-term receivership and for which former institution employees will be retained.
    Based on the assessment, a decision should be made regarding whether any or all of
    the following should be completed for the retained institution employees: background
    investigations, fingerprint checks, credit checks, or signed statements of nondisclosure.

DRR management agreed with this recommendation. DRR will review the risk assessment
guidelines contained in DOA Directive 1610.2 and will revise the Closing Manual as it pertains
to the retention of employees of a failed institution and their involvement with customer
information in a long-term receivership. Management plans to complete the revisions by
December 31, 2004.

Management’s planned actions are responsive to the recommendation.
The recommendation is resolved but will remain undispositioned and open until we have
determined that agreed-to corrective actions have been completed and are effective.

(4) Revise the Closing Manual to require that the RIC and the post-closing Asset
    Management Team Leader document the results of the risk assessment described in
    recommendation 3 in the receivership’s Strategic Resolution Plan and/or subsequent
    post-closing receivership reports.

DRR management agreed with this recommendation. The documentation required to be retained
will be addressed in the guidelines discussed in response to recommendation 3. Revisions to the
guidelines will be completed by December 31, 2004.

Management’s planned actions are responsive to the recommendation. The recommendation is
resolved but will remain undispositioned and open until we have determined that agreed-to
corrective actions have been completed and are effective.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective and Scope

The objective of this audit was to determine whether the DRR’s decisions for retaining and
paying failed insured depository institution employees (former institution employees) who
assist in the liquidation process are reasonable and adequately supported.
The audit focused on determining compliance with and adequacy of existing policies and
procedures and identifying opportunities for minimizing losses to the insurance funds through
reduced expenses associated with retaining former institution employees.

Our audit scope included the four insured depository institutions that failed from
January 1, 2002 through October 31, 2003 and for which retention salaries, bonuses, and
benefits were paid for certain employees: Hamilton Bank, NA (Hamilton) of Miami, Florida;
NextBank NA (NextBank) of Phoenix, Arizona; Connecticut Bank of Commerce of Stamford,
Connecticut; and Southern Pacific Bank of Torrance, California. Those failed institutions
were selected based on the value of assets each institution had at closing, specifically, those
institutions that had assets greater than or equal to $100 million.

We performed our work from October 2003 through April 2004 in accordance with generally
accepted government auditing standards.

Methodology

We focused on obtaining an understanding of the resolution process, especially the
decision-making process for retaining and paying former institution employees. In doing so,
we also obtained a general overview of selected aspects of the FDIC contracting process,
which was key to the retention of former institution employees.
A discussion of the activities we performed during the audit follows.

To gain an understanding of the legislation, policies, and procedures regarding this subject,
we reviewed the:

   •   Federal Deposit Insurance Act;
   •   FDIC Improvement Act of 1991;
   •   FDIC’s Failed Financial Institution Closing Manual;
   •   DRR’s Resolutions Policy Manual; Resolutions Handbook; and Quick Guide to FDIC
       Closings;
   •   DRR’s 2003 Strategic Plan; the FDIC 2003 Corporate Annual Performance Plan;
       the 2002 DRR Accomplishments Report; as well as current initiatives and projects;
   •   DRR’s 2002 Management Control Plan and Listing of Accountability Units;
   •   FDIC Directive 3700.16, FDIC Acquisition Policy Manual; and
   •   FDIC policies and procedures related to privacy and personnel security, including
       FDIC Directive 1610.2, Security Policy and Procedures for FDIC Contractors and
       Subcontractors, dated August 1, 2003.

Our methodology also included interviewing DRR Receivership Operations and Internal
Review management and staff in Washington, D.C., and Dallas, Texas. We also interviewed
DRR and DOA contracting officials. Additionally, we obtained an understanding of the
resolution process and each institution closing within our sample.
Finally, we reviewed specific controls in place related to DRR’s consideration of retention
strategies and decisions.

To determine whether DRR’s decisions for retaining and paying former institution
employees were reasonable, we assessed the:

   •   number of former institution employees retained to assist in the resolution process;
   •   terms and conditions of retention packages, including amounts of retention salaries,
       bonuses, and benefits paid to the former institution employees;
   •   period during which the former institution employees would be retained and paid
       until they were released; and
   •   reasons the former institution employees were considered critical for the resolution
       process.

To determine whether DRR’s decisions for retaining and paying former institution
employees were adequately supported, we assessed the following:

   •   Key documents related to DRR’s decisions for retaining and paying former institution
       employees for each of the four failed institutions, including:

       o strategic resolution plans for language regarding the anticipated number, need,
         cost, and length of time for retaining and paying former institution employees;
       o cases requesting expenditure authority for retaining and paying former institution
         employees; and
       o contract records, including the Statements of Work, and FDIC general contract
         provisions relating to payroll services contractors and asset management
         contractors used to hire former institution employees to perform failed institution
         work.

   •   The case requesting expenditure authority for hiring former institution employees to
       ascertain whether: (1) matters giving the appearance of an unusual, excessive, or
       unreasonable nature, such as the payment of retention
       bonuses, should be brought to the attention of FDIC management, and (2) the retention
       payment ceilings were set.

In addition, regarding sensitive financial and customer information, we interviewed DRR and
DOA officials to determine:

   •   the specific FDIC and DRR information systems used at receiverships;

   •   access privileges granted to contractor and former institution employees in using
       FDIC and DRR information systems;

   •   whether background investigations and fingerprint checks were performed for
       contractor/former institution employees; and

   •   whether any of the four failed institutions in our audit had a personnel security
       program and, if so, the steps taken by either the contractor or the FDIC, in addition to
       meeting contract requirements, to ensure that the program was adequate before
       former institution employees were brought on board.

Our methodology also included the following:

   •   Reviewing FDIC contracts with payroll services contractors and asset management
       contractors for provisions related to personnel security.

   •   Interviewing headquarters officials, including DRR’s Information Security Officer,
       DOA Security Staff, a Legal Division attorney, and OIG Counsel.

   •   Verifying the accuracy of DRR’s comparison of names of contractor/former
       institution employees employed at the four failed institutions with data in the FDIC’s
       Access Control Entry System to ascertain whether the employees had system access
       during closings and post-closings.

   •   Reviewing prior OIG audit and evaluation reports covering FDIC information,
       personnel, and
       systems-specific security:

       o FDIC’s Personnel Security Program (Report No. 04-016, dated March 30, 2004)
       o Implementation of the Gramm-Leach-Bliley Act Privacy Provisions (Report No.
         03-044, dated September 26, 2003)
       o Control Over Use and Protection of Social Security Numbers by Federal
         Agencies (Report No. 03-012, dated February 14, 2003)
       o Information Security Management of FDIC Contractors (Report No. 03-043,
         dated September 23, 2003)
       o FDIC’s Information Handling Practices for Sensitive Employee Data (Report No.
         00-006, dated October 10, 2000)

APPENDIX II

CORPORATION COMMENTS

APPENDIX III

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents management’s response to the recommendations in our report and the status of the
recommendations as of the date of report issuance.

Rec.     Corrective Action:                                  Expected            Monetary   Resolved (a):   Dispositioned (b):   Open or
Number   Taken or Planned/Status                             Completion Date     Benefits   Yes or No       Yes or No            Closed (c)

1        DRR will review current guidelines and, where       October 31, 2004    N/A        Yes             No                   Open
         necessary, clarify or compose additional
         guidelines for inclusion in the Failed Financial
         Institution Closing Manual.

2        DRR, in conjunction with DOA, will establish        December 31, 2004   N/A        Yes             No                   Open
         guidelines to address receiverships that are
         considered long-term in nature.

3        DRR will review the risk assessment guidelines      December 31, 2004   N/A        Yes             No                   Open
         contained in DOA Directive 1610.2 and will
         revise the Closing Manual as it pertains to the
         retention of employees of a failed institution
         and their involvement with customer information
         in a long-term receivership.

4        DRR will develop guidelines in the Closing          December 31, 2004   N/A        Yes             No                   Open
         Manual requiring documentation of a risk
         assessment and a notation in the post Strategic
         Resolution Plan that the assessment has been
         completed.

(a) Resolved – (1) Management concurs with the recommendation, and the planned corrective action is
    consistent with the recommendation.
    (2) Management does not concur with the recommendation, but planned alternative action is acceptable
    to the OIG.
    (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount.
    Monetary benefits are considered resolved as long as management provides an amount.

(b) Dispositioned – The agreed-upon corrective action must be implemented, determined to be effective,
    and the actual amounts of monetary benefits achieved through implementation identified. The OIG is
    responsible for determining whether the documentation provided by management is adequate to
    disposition the recommendation.

(c) Once the OIG dispositions the recommendation, it can then be closed.